From 52c8336137a97af4843ff8074e7b3478f766f6d8 Mon Sep 17 00:00:00 2001
From: Tomas Halman
Date: Feb 16 2019 22:21:50 +0000
Subject: ssh: p11_child error message is too generic
We have only one error core for p11_child error. With this patch new error ERR_P11_CHILD_TIMEOUT is introduced. It is then used for better log message.
Resolves: https://pagure.io/SSSD/sssd/issue/3937
Reviewed-by: Sumit Bose
Reviewed-by: Jakub Hrozek
---
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 785b29c..67fbd89 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -996,11 +996,13 @@ static void p11_child_timeout(struct tevent_context *ev,
 struct pam_check_cert_state *state = tevent_req_data(req, struct pam_check_cert_state);
- DEBUG(SSSDBG_CRIT_FAILURE, "Timeout reached for p11_child.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Timeout reached for p11_child, "
+ "consider increasing p11_child_timeout.\n");
 child_handler_destroy(state->child_ctx);
 state->child_ctx = NULL;
 state->child_status = ETIMEDOUT;
- tevent_req_error(req, ERR_P11_CHILD);
+ tevent_req_error(req, ERR_P11_CHILD_TIMEOUT);
 }
 errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
diff --git a/src/responder/ssh/ssh_reply.c b/src/responder/ssh/ssh_reply.c
index 2d1d8ef..fc68eb1 100644
--- a/src/responder/ssh/ssh_reply.c
+++ b/src/responder/ssh/ssh_reply.c
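Review bot: Callers of pam_check_cert_recv() are not updated in the hunks shown, yet p11_child_timeout() in src/responder/pam/pamsrv_p11.c now fails the request with ERR_P11_CHILD_TIMEOUT, so any PAM-side check written as `ret == ERR_P11_CHILD` would no longer match a timeout. This is the smartcard authentication path, so it is worth confirming that every consumer still treats the new code as a failure of the certificate step rather than falling into a default branch. A comment at the error site such as `/* reported separately from ERR_P11_CHILD; callers must handle both */` would record the contract. The function's signature and opening lines are outside the hunk.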
@@ -281,9 +281,15 @@ void ssh_get_output_keys_done(struct tevent_req *subreq)
 ret = cert_to_ssh_key_recv(subreq, state, &keys, &valid_keys);
 talloc_zfree(subreq);
 if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "cert_to_ssh_key request failed, ssh keys derived "
- "from certificates will be skipped.\n");
+ if (ret == ERR_P11_CHILD_TIMEOUT) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "cert_to_ssh_key request timeout, "
+ "consider increasing p11_child_timeout.\n");
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "cert_to_ssh_key request failed, ssh keys derived "
+ "from certificates will be skipped.\n");
+ }
 /* Ignore ssh keys from certificates and return what we already have */
 tevent_req_done(req);
 return;
diff --git a/src/util/cert/cert_common_p11_child.c b/src/util/cert/cert_common_p11_child.c
index aacdb5c..39112f8 100644
--- a/src/util/cert/cert_common_p11_child.c
+++ b/src/util/cert/cert_common_p11_child.c
@@ -153,10 +153,10 @@ static void p11_child_timeout(struct tevent_context *ev,
 struct cert_to_ssh_key_state *state = tevent_req_data(req, struct cert_to_ssh_key_state);
- DEBUG(SSSDBG_CRIT_FAILURE, "Timeout reached for p11_child.\n");
+ DEBUG(SSSDBG_MINOR_FAILURE, "Timeout reached for p11_child.\n");
 child_handler_destroy(state->child_ctx);
 state->child_ctx = NULL;
- tevent_req_error(req, ERR_P11_CHILD);
+ tevent_req_error(req, ERR_P11_CHILD_TIMEOUT);
 }
 static errno_t cert_to_ssh_key_step(struct tevent_req *req)
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index f07932a..94e641e 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
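Review bot: The new timeout branch in ssh_get_output_keys_done() (src/responder/ssh/ssh_reply.c) no longer says that certificate-derived ssh keys are being skipped, which is the consequence an operator needs when a login fails because the expected key was not returned. Both branches are followed by tevent_req_done(), so the request succeeds with a shorter key list, and at SSSDBG_MINOR_FAILURE the only trace of that may be filtered out depending on the configured debug level. Keeping the consequence in the timeout text would help: `"cert_to_ssh_key request timeout, ssh keys derived from certificates will be skipped, "` followed by `"consider increasing p11_child_timeout.\n"`. The function continues outside the hunk.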
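Review bot: p11_child_timeout() in src/util/cert/cert_common_p11_child.c lowers its message from SSSDBG_CRIT_FAILURE to SSSDBG_MINOR_FAILURE, while the function of the same name in pamsrv_p11.c keeps SSSDBG_CRIT_FAILURE and gains the p11_child_timeout hint, and the commit message gives no reason for the difference. A child that had to be destroyed after a timeout is an operational failure, and repeated occurrences are worth seeing without verbose logging enabled. Consider `DEBUG(SSSDBG_OP_FAILURE, "Timeout reached for p11_child.\n");`, or add a comment stating why the ssh path is treated as minor. The function's opening lines are outside the hunk.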
@@ -88,6 +88,7 @@ struct err_string error_to_str[] = {
 { "Retrieving keytab failed" }, /* ERR_IPA_GETKEYTAB_FAILED */
 { "Trusted forest root unknown" }, /* ERR_TRUST_FOREST_UNKNOWN */
 { "p11_child failed" }, /* ERR_P11_CHILD */
+ { "p11_child timeout" }, /* ERR_P11_CHILD_TIMEOUT */
 { "Address family not supported" }, /* ERR_ADDR_FAMILY_NOT_SUPPORTED */
 { "Message sender is the bus" }, /* ERR_SBUS_SENDER_BUS */
 { "Subdomain is inactive" }, /* ERR_SUBDOM_INACTIVE */
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index a799bba..e65ccbc 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -109,6 +109,7 @@ enum sssd_errors {
 ERR_IPA_GETKEYTAB_FAILED,
 ERR_TRUST_FOREST_UNKNOWN,
 ERR_P11_CHILD,
+ ERR_P11_CHILD_TIMEOUT,
 ERR_ADDR_FAMILY_NOT_SUPPORTED,
 ERR_SBUS_SENDER_BUS,
 ERR_SUBDOM_INACTIVE,
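Review bot: error_to_str[] in src/util/util_errors.c is matched to enum sssd_errors in src/util/util_errors.h by position only, and the trailing comment is all that ties the new `{ "p11_child timeout" }` row to ERR_P11_CHILD_TIMEOUT. The two additions in this commit line up, both directly after the ERR_P11_CHILD entry, but a later one-sided edit would silently mislabel every subsequent error in the logs. A compile-time check that the table has exactly as many rows as the enum has error members would catch that; the rest of both definitions is outside the hunks, so such a check may already exist.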